IMPROVING SECURITY THROUGH VISIBILITY. Computational Auditing and Horizontal Supervision

Transcription

1 IMPROVING SECURITY THROUGH VISIBILITY Computational Auditing and Horizontal Supervision Fouad Gaddur TNO Göteborg 9 November

2 Overview Introduction Background What is computational auditing & horizontal supervision? Information Quality Assessment Framework Example Purpose of methodology Categorization of IQ metrics Administrative Organization Segregation of duties Flowchart AO Control Principles Events & Data 5 step IQAF Concluding remarks 2

3 Introduction Fouad Gaddur TNO Defense, Safety & Security Project CASSANDRA WP200 TNO, EUR and Dutch Tax & Customs 3

4 Background 4

5 Background 5

6 Background 3CE Customs Import Entry Analysis 100,754 import customs declarations analysed 85,28% 89,925 records contained some narative description 14,72% 14,829 records contained no narative description 12,30% 12,388 records contained enough product detail to enable validation of the HS code 6

7 Background 3CE Customs Import Entry Analysis 87.70% Over 88,000 records contained insufficient data to assess a correct text description or HS code to 6-digits 7

8 Computational Auditing Model based auditing approach Enterprise-level rules stock and flow equations Link up with important bookkeeping variables, such as sales, inventory etc. Value cycle model (Starreveld) 8

9 Computational Auditing 9

10 Supply Chain Actors Layer Document Layer Government Layer Horizontal supervision System Based Approach Customs

11 Purpose of IQAF 1) How good is a business system s information quality? Quantify the measurement of information quality (quality metrics) 2) How good is enough? Managing the problem of poor information quality. How can we have information which is sufficient timely, reliable and complete for risk management. Principles of computational auditing 11

12 Categorization IQ Metrics Category w.r.t. Usability Index Info Quality Dimensions Intrinsic 1 Objectivity (factual) Definition Reflecting actual business activities, free of bias Relation to Information Quality Assessment in CASSANDRA Whether data generator and/ or custodian are reliable in providing objective data 2 Accuracy Sufficiently precise Whether data generator and/or custodian are reliable in providing accurate data 3 Reputation (believability, credibility) Regarded as reliable in terms of source and content This will be the reliability score, i.e. the aggregated output of the Assessment Methodology 4 Consistent value Correctness, free-of-error Whether the data are verifiable by cross checking Accessibility 5 Accessibility Information available, or easily retrievable N/A, information is assumed to be available to and from data pipeline 6 Access security Generation and processing of information restricted to maintain security Contextual 7 Completeness Information reflecting all business activity, and no missing record 9 Relevancy (valueadded) 10 Timeliness (version control) 11 Aggregation level (or volume of data) 12 Understandability (interpretability) Representational 8 Comparability (consistent semantics) 13 Correct representation 14 Concise representation 15 Consistent representation Semantically correct, use same alias (or numeric value) to refer the same meaning, e.g. consistency in using currency or metric unit Information helpful for task (decision support) Up-to-date Volume of data appropriate for task (decision support) Easy to comprehend, or the underlying semantics of data (meta-data) is sufficient and matches the knowledge background of decision maker Meaningfulness, lack of confusion Use appropriate alias, format and syntax Use same alias, format and syntax Whether data generator and custodian are reliable w.r.t. access control Whether data generator and/or custodian are reliable in providing complete data Whether data generator and custodian can manage the semantics consistency N/A, information is assumed to be relevant (otherwise not shared) Whether data generator and custodian are reliable in providing timely data Usefulness in risk assessment depend on purpose of analysis Whether there is sufficient meta-data accompanying the shared data available for decision-maker (risk manager) to comprehend and analyze the shared data Whether the data custodian is able to manage the representation Whether the data custodian is able to manage the representation Whether the data custodian is able to manage the representation 12

13 Administrative Organization Responsible for organizing the information from a business system Poor information quality Poor quality of administrative organization How to improve? An administrative organization has to have two sphere s ( operational control sphere) An administrative organization has to have control principles 13

14 Segregation of duties Relation of Control aspect and Operational aspect of Administrative Organization 14

15 Flowchart AO Information-flows and Workflows of Control in Administrative Organization 15

16 Control principles AO P1. Does the control activity exist and follow the corresponding operational activity? P2. Can the control actor directly witness the execution of the operational activity? If not, is the evidencing (witnessing) activity delegated to an evidencing actor (trusted third party)? P3. Is there a supporting document furnishing the evidencing activity? P4. Is the supporting document the result of the previous evidencing activity directly witnessing the operational activity to be controlled? P5. Is the supporting document directly transferred to the control actor from the evidencing actor who witnesses the operational activity to be controlled? P6. Is the supporting document generated by an actor independent of the actor who generates the to-be-verified document? P7. Are the operational activity and its corresponding control activity segregated into two different positions and done by two different actors? P8. Are the actors responsible for the operational activity and its corresponding control activity socially detached? 16

17 Events in Supply Chain Event 1: Purchase Order (multiple messages sent at same time) Event 2: Export Booking Completed Event 3: Empty Container Pickup (multiple messages sent at same time) Event 4: Transport Milestones Event 5: Stuffed (multiple messages sent at same time) Event 6: Commercially Invoiced(multiple messages sent at same time) Event 7: Cleared for Export(multiple messages sent a same time) Event 8: Transport Milestones Event 9: Confirmation of exit Event 10: Export Completed 17

18 Data linked to events 18

19 IQA Framework Identify supply chain actors Step 1 Step 2 Select Information Identify events & datums Quality Metrics Configure IQM according to events & datums Step 3 Step 4 Score Establish rules Cross reference Levels of Data Quality Step 5 Computational Auditing Segregation of duties Dashboard 19

20 Physical DATA Data pipeline & Events Integrated Data Pipeline Event: Booking completed Event: Cleared For export Event: Export completed Event: Stuffed & Invoiced 2 Completenes s Computational Auditing SCORE 5 Accuracy Timeliness 5 High Reliability 1 Information Quality Assessment 3 4 Empty depot P P Empty depot Consignor City Port A Port B City Consignee 20

21 Concluding remarks Better risk assessment by governments and businesses Detect quality problems of information (incorrect recordings of business activities) Businesses will have a framework to show their level of internal control Stimulate top-down governmental supervision to horizontal supervision 21

22 22

23 Implementation steps RBA STEP 1 STEP 2 STEP 3 STEP 4 STEP 5 Identification of supply chain configuration Identification of processes and problems Analysis and recommendations Validation and refinement Operationalization 1. Identification of supply chain configuration Who are the supply chain actors (tradelane partners, including sub-contractors)? How are the supply chain actors related? Data modeling effort 2. Identification of processes, problems and existing mitigating measures 3. Analysis and recommendations 4. Validation and refinement 5. Operationalization 23

24 Example 24